Opened 6 years ago

#1926 new improve feature

security page

Reported by: guaka
Owned by:
Priority: major
Milestone: unassigned
Component: unknown
Keywords: security


Create a security page with "two things: a working, monitored email address and a PGP key"


"The first step is a preventative inoculation: If you run an application on the Internet, you should today establish a security contact page. It only needs to include two things: a working, monitored email address and a PGP key. Bonus points for giving some sort of public recognition to people who report security vulnerabilities to you in a responsible manner. This helps to co-opt some security researchers so that they e.g. get in touch with you about the problem prior to just going ahead and exploiting it. Software security has a curious system of social norms, where scalp collecting builds both karma and pseudo-currency. It’s bizarre, but just take this on faith: having a security page with a working email gives you a certain amount of We Should Avoid #’#(ing Their #()#% Up Without Asking First street cred. (Naturally, like any social norm, that is a preventative measure rather than a panacea. However, given that it is a well-understood norm, it gives you a bit of an edge in the PR battle should someone decide to just drop a 0-day on you.)

Good security pages to pattern after: 37signals (I particularly like how this page works for responsible disclosure while, in a dual-audience fashion, also doubles as being great marketing copy), Twilio, Heroku (again, dual audience), etc."
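Added example, not part of the ticket or the quoted post: a small checker for the machine-readable form of such a security page. It assumes the RFC 9116 security.txt layout (which the ticket does not mention) and verifies the two things the ticket asks for, a mailto: contact and a link to a PGP key, plus the fields the RFC makes mandatory. The sample file is constructed; example.org and its paths are placeholders.

```python
"""Check a security.txt body for the two things the ticket asks for (a contact
email address and a PGP key) and for the fields RFC 9116 requires.
The RFC 9116 layout is an assumption of this example; the ticket only asks
for a page with a monitored email address and a PGP key."""
from datetime import datetime, timezone

# Constructed sample security.txt; example.org and its URLs are placeholders.
SAMPLE = """\
# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/security
Encryption: https://example.org/pgp-key.txt
Acknowledgments: https://example.org/security/hall-of-fame
Expires: 2099-01-01T00:00:00Z
"""

# RFC 9116 makes Contact and Expires mandatory.
REQUIRED = ("Contact", "Expires")
# RFC 9116 allows the Encryption value to be an https URL, a dns: URI or an
# openpgp4fpr: fingerprint.
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")


def parse_security_txt(text):
    """Return {field: [values]} for a security.txt body, skipping comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_expires(value):
    """Parse an RFC 3339 timestamp; a trailing Z is normalised to +00:00."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means every check passed.

    Note that a checker cannot tell whether the mailbox is actually monitored;
    that part of the ticket's requirement stays a human responsibility."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    # The ticket's first requirement: a working email address.
    contacts = fields.get("Contact", [])
    if not any(c.lower().startswith("mailto:") for c in contacts):
        problems.append("no mailto: Contact (the ticket asks for an email address)")

    # The ticket's second requirement: a PGP key.
    if "Encryption" not in fields:
        problems.append("no Encryption field pointing at a PGP key")
    for url in fields.get("Encryption", []):
        if not url.lower().startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption must use https, dns or openpgp4fpr: {url}")

    # Expires must appear once and lie in the future, or the file is stale.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = _parse_expires(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if when <= now:
            problems.append(f"security.txt expired on {value}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE) or ["ok: no problems found"]:
        print(problem)
```

Run it against the text served at /.well-known/security.txt to catch the usual drift: a key link that was never published, or an Expires date that quietly lapsed so researchers have no reason to trust the contact.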
